Executable PHP in a GIF image

Is it possible to place an executable PHP script within the middle of a GIF image? Is it possible to still have the file appear as an image to a server without detecting the PHP? I thought I read about this action somewhere earlier this year.

Afaik, it's impossible. The server only executes PHP scripts when the extension is defined as PHP script. So for this, GIF has to be defined as PHP script. But then it still won't be able to handle a PHP script in the middle of a GIF image, because GIF is binary and PHP isn't.

It is possible to create a PHP script that outputs a GIF image, but that's not what you want, is it?

This is used in those invisible 1x1 pixel tracking. So your code is

HTML:

<img src="http://www.site.com/script.php">

Your script then records all the referer, ip, and any other info you want and saves it to a database and streams a 1x1 pixel transparent gif.

If you want to execute code on the user's machine through an image tag then you should be learning about XSS exploits.

Thanx for the valuable information. Thought this might have worked for a project I have been considering.

"If you want to execute code on the user's machine through an image tag then you should be learning about XSS exploits." I plan to look into this further because this sounds like possibly more what I need.

PHP is a server side language so it gets executed on the server, not on the user's machine. You can link to a PHP script disguised as an image using modrewrite, for example:

<img src="image.gif">

Use modrewrite to rewrite this to "script.php". The script then does whatever you want it to do (on the server, not on the user's machine) and then outputs an image which gets displayed on the user's machine. The only use for this, as far as I can see, is to prevent anyone knowing you're using an image tag to link to a PHP script. I don't think that's what you were after though, I only posted this because the forum is so empty and somebody might find the above info useful...

I don't know whether it is patched now, but one year ago what you are saying was possible. Watch it:
milw0rm.com/video/watch.php?id=57

It can be done: in a folder, create a custom .htaccess file and then add the following.
This adds a custom MIME header that tells how the file is run and makes a PNG file be run through the PHP binary:

AddType application/x-httpd-php .PNG

This is how people create the dynamic PHP signatures that show your IP address and such.

It is possible to hide a PHP shell backdoor script inside an image file with a little bit of editing.
The best workaround is to have all image files in the same directory and disable PHP from processing files inside the image folder.

To get PHP to execute that file you would have to get a script to call it with something like include(). At that point the extension doesn't matter. I'm guessing what the orig poster is getting at is he wants to execute code on someone's machine when they view an image on a site. This is possible against an unpatched machine via a GDI exploit, but good luck finding machines to infect.

Also, it would never be PHP code you would be embedding in an image. It would be some sort of client-side scripting. I'm not sure if it's still possible; I recall visiting images before that execute VB script.

If your intention is to upload a PHP script named as a gif to a server in order to gain access to the server, you would want to try to do something like manipulate the value of a variable called in an include(). So, let's say it's a forum and you rename yourscript.php to yourscript.gif, then upload it to the forum as your avatar or an attachment. You would then want to look for something in the forum code like include($file); then try to alter the value of $file via the browser to point to yourscript.gif.

Note: there are some pretty neat PHP trojans out there that you can use to intrude upon any server that you can get the things uploaded to. A popular one is called c99.
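A defender-side check for the two uploads described in the posts above (PHP hidden inside a real image, and a script renamed to .gif), added here as an example and not code from any poster. It walks the GIF block structure and reports where a PHP open tag sits; `scan_gif`, `read_sub_blocks` and `build_sample` are hypothetical names, and the sample files are constructed.

```python
import re
import struct

PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # bare "<?" short tags not matched

def read_sub_blocks(data, pos):
    """Join a chain of GIF data sub-blocks; return (payload, next position)."""
    payload = b""
    while data[pos] != 0:
        payload += data[pos + 1:pos + 1 + data[pos]]
        pos += 1 + data[pos]
    return payload, pos + 1

def scan_gif(data):
    """Return [(location, offset)] for PHP open tags found inside a GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")        # e.g. a script merely renamed to .gif
    found, pos = [], 13                      # 6-byte header + 7-byte screen descriptor
    try:
        if data[10] & 0x80:                  # skip global colour table
            pos += 3 * (2 << (data[10] & 7))
        while data[pos] != 0x3B:             # 0x3B = trailer
            if data[pos] == 0x21:            # extension (0xFE = comment)
                payload, end = read_sub_blocks(data, pos + 2)
                if PHP_TAG.search(payload):
                    found.append(("extension 0x%02x" % data[pos + 1], pos))
                pos = end
            elif data[pos] == 0x2C:          # image descriptor + pixel data
                flags = data[pos + 9]
                pos += 10 + (3 * (2 << (flags & 7)) if flags & 0x80 else 0)
                _, pos = read_sub_blocks(data, pos + 1)   # +1: LZW code size
            else:
                raise IndexError             # unknown block: treat as malformed
        pos += 1
        if PHP_TAG.search(data[pos:]):
            found.append(("trailing data", pos))
    except IndexError:
        pass                                 # truncated/malformed: rely on raw scan
    hit = PHP_TAG.search(data)
    if hit and not found:                    # tag outside parsed blocks (e.g. palette)
        found.append(("unparsed region", hit.start()))
    return found

def build_sample(comment):
    """Constructed 1x1 GIF89a carrying `comment` in a comment extension."""
    return (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
            + b"\x00\x00\x00\xff\xff\xff"
            + b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00"
            + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
            + b"\x02\x02\x44\x01\x00\x3b")
```

A finding is a reason to reject or quarantine the upload; it complements, and does not replace, keeping PHP from processing files in the image folder as recommended earlier in the thread.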

Yes, it is possible. I don't have the time to code it right now, but here's a hint of what I did last time I did it.

-Use htaccess to interpret that particular file as a PHP script, i.e. first.gif is actually just a PHP file with gif as an extension.
-Execute your PHP script, careful not to echo or print anything to the browser.
-Finally, open your gif with your PHP file, i.e. first.gif opens real.gif and prints the correct stuff to the browser.

LOL!

"I have a truly marvellous proof of this proposition which this margin is too narrow to contain."~Pierre de Fermat
